Acunetix Website Audit

15 October, 2010

Detailed Scan Report

Generated by Acunetix WVS Reporter (v7.0 Build 20101012)

Scan of http://achitech.eu5.org:80/
Scan details

Scan information
Starttime 15/10/2010 1:55:23 πμ
Finish time 15/10/2010 2:40:54 πμ
Scan time 45 minutes, 31 seconds
Profile Default

Server information
Responsive True
Server banner Apache
Server OS Unknown
Server technologies PHP

Threat level

Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been discovered by the
scanner. A malicious user can exploit these vulnerabilities and compromise
the backend database and/or deface your website.

Alerts distribution

Total alerts found 4

High 4
Medium 0
Low 0
Informational 0

Knowledge base
List of open TCP ports

Open Port 587 / submission

Port Banner:
-eu5org.eu5.org ESMTP Exim 4.72 #1 Thu, 14 Oct 2010 18:12:14 -0500
-We do not authorize the use of this system to transport unsolicited,
and/or bulk e-mail. Send your reports to abuse@freewebhostingarea.com

DNS server running

A DNS server is running on UDP port 53.
Whois lookup
Whois result for IP address 178.63.23.102:

% This is the RIPE Database query service.

% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.

Acunetix Website Audit 2

% To receive output for a database update, use the "-B" flag.

% Information related to '178.63.23.64 - 178.63.23.127'

: 178.63.23.64 - 178.63.23.127: HETZNER-RZ11: Hetzner Online AG: Datacenter 11: DEc:
HOAC1-RIPEc: HOAC1-RIPE: ASSIGNED PAby: HOS-GUNlower: HOS-GUNroutes: HOS-GUN:
RIPE # Filtered
: Hetzner Online AG - Contact Role: Hetzner Online AG: Stuttgarter Stra?e 1: D-91710
Gunzenhausen: Germany: +49 9831 61 00 61no: +49 9831 61 00 62mailbox: abuse@hetzner.de:
*************************************************: * For spam/abuse/security issues please contact *: *
abuse@hetzner.de , not this address *: *************************************************::
*************************************************: * Any questions on Peering please send to *: *
peering@hetzner.de *: *************************************************: ORG-HOA1-RIPEc: MH375-
RIPEc: GM834-RIPEc: RB1502-RIPEc: SK2374-RIPEc: ND762-RIPEc: TF2013-RIPEc:
MF1400-RIPEhdl: HOAC1-RIPEby: HOS-GUN: RIPE # Filtered

% Information related to '178.63.0.0/16AS24940'

: 178.63.0.0/16: HETZNER-RZ-FKS-BLK2: AS24940: ORG-HOA1-RIPEby: HOS-GUN:
RIPE # Filtered
: ORG-HOA1-RIPEname: Hetzner Online AGtype: LIR: Hetzner Online AG
Attn. Martin Hetzner
Stuttgarter Str. 1
91710 Gunzenhausen
GERMANY: +49 9831 610061no: +49 9831 610062c: DM93-RIPEc: GM834-RIPEc:
HOAC1-RIPEc: MH375-RIPEc: RB1502-RIPEc: SK2374-RIPEc: TF2013-RIPEc: MF1400-RIPEref:
HOS-GUNref: RIPE-NCC-HM-MNTby: RIPE-NCC-HM-MNT: RIPE # Filtered

SMTP server running

A SMTP server is running on TCP port 587. Information gathered from this service:
EHLO returns:
250-eu5org.eu5.org Hello acunetix.com [85.72.52.240]
-SIZE 1048576
-PIPELINING
-STARTTLS
HELP returns:
214-Commands supported:
AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP

List of file extensions

File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:

• php => 1 file(s)

Alerts summary

Cross Site Scripting

Affects Variations
/ 1
/cms 1
/cms/revert-content.php 1

Micro CMS v.3.5 SQL Injection

Affects Variations
/cms/revert-content.php 1

Acunetix Website Audit 3

Alert details

Cross Site Scripting

Severity High
Type Validation
Reported by module Scripting (XSS_in_URI.script)

Description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in
the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will
execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the
browser.

Impact
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in
order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the
user. It is also possible to modify the content of the page presented to the user.

Recommendation
Your script should filter metacharacters from user input.

Detailed information

Quote from The Cross Site Scripting FAQ - http://www.cgisecurity.com/articles/xss-faq.shtml

Introduction

Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more
enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user
depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site
Scripting" (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting
holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better
understanding of this emerging threat, and to give guidance on detection and prevention.

"What is Cross Site Scripting?"

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is
usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this
link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will
encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious
looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user
containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the
website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in
them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it
may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like
this are accomplished via "cookie theft" are explained in detail below.

"What does XSS and CSS mean?"

Often people refer to Cross Site Scripting as CSS. There has been a lot of confusion with Cascading Style Sheets (CSS)
and cross site scripting. Some security people refer to Cross Site Scripting as XSS. If you hear someone say "I found a
XSS hole", they are talking about Cross Site Scripting for certain.

"What are the threats of Cross Site Scripting?"

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read
below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings,
cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The

Acunetix Website Audit 4

post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts
if a user simply reads a post on a message board.

"What can I do to protect myself as a vendor?"

This is a simple answer. Never trust user input and always filter metacharacters. This will eliminate the majority of XSS
attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output. Remember XSS holes can
be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode
customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve
all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to &#40; and &#
41;, and also # and & by translating them to &#35 (#) and &#38 (&).

"What can I do to protect myself as a user?"

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view. If you visit one
website and it links to CNN for example, instead of clicking on it visit CNN's main site and use its search engine to find the
content. This will probably eliminate ninety percent of the problem. Sometimes XSS can be executed automatically when
you open an email, email attachment, read a guestbook, or bulletin board post. If you plan on opening an email, or reading a
post on a public board from a person you don't know BE CAREFUL. One of the best ways to protect yourself is to turn off
Javascript in your browser settings. In IE turn your security settings to high. This can prevent cookie theft, and in general is
a safer thing to do.

"How common are XSS holes?"

Cross site scripting holes are gaining popularity among hackers as easy holes to find in large websites. Websites from
FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one
form or another of XSS bugs.

Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.

"Does encryption protect me?"

Websites that use SSL (https) are in no way more protected than websites that are not encrypted. The web applications
work the same way as before, except the attack is taking place in an encrypted connection. People often think that
because they see the lock on their browser it means everything is secure. This just isn't the case.

"Can XSS holes allow command execution?"

XSS holes can allow Javascript insertion, which may allow for limited execution. If an attacker were to exploit a browser flaw
(browser hole) it could then be possible to execute commands on the client's side. If command execution were possible it
would only be possible on the client side. In simple terms XSS holes can be used to help exploit other holes that may exist
in your browser.

"What if I don't feel like fixing a CSS/XSS Hole?"

By not fixing an XSS hole this could allow possible user account compromise in portions of your site as they get added or
updated. Cross Site Scripting has been found in various large sites recently and have been widely publicized. Left
unrepaired, someone may discover it and publish a warning about your company. This may damage your company's
reputation, depicting it as being lax on security matters. This of course also sends the message to your clients that you
aren't dealing with every problem that arises, which turns into a trust issue. If your client doesn't trust you why would they
wish to do business with you?

Affected items
/
Details
URI was set to 1<ScRiPt>prompt(951911)</ScRiPt>
The input is reflected inside a text element.

Request
GET //1<ScRiPt>prompt(951911)</ScRiPt> HTTP/1.1
Host: achitech.eu5.org:80
Acunetix Website Audit 5
Connection: Keep-alive
Accept-Encoding: gzip,deflate

Response
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2010 23:00:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: e9e709426ff2f010434cfafe17d1acd8=ka0lo6bp0f6e6033h8mercduh1; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Wed, 14-Oct-2009 23:00:32 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Wed, 14-Oct-2009 23:00:32 GMT; path=/
Set-Cookie: jfcookie[lang]=deleted; expires=Wed, 14-Oct-2009 23:00:32 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 472
/cms
Details
URI was set to 1<ScRiPt>prompt(994896)</ScRiPt>
The input is reflected inside a text element.

Request
GET /cms/1<ScRiPt>prompt(994896)</ScRiPt> HTTP/1.1
Cookie: e9e709426ff2f010434cfafe17d1acd8=pps8p8bntg6k4hkshtq1b4nhl2
Host: achitech.eu5.org:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Response
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2010 23:40:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Wed, 14-Oct-2009 23:40:28 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Wed, 14-Oct-2009 23:40:28 GMT; path=/
Set-Cookie: jfcookie[lang]=deleted; expires=Wed, 14-Oct-2009 23:40:28 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 475
/cms/revert-content.php
Details
URI was set to 1<ScRiPt>prompt(992089)</ScRiPt>
The input is reflected inside a text element.

Request
GET /cms/revert-content.php/1<ScRiPt>prompt(992089)</ScRiPt> HTTP/1.1
Cookie: e9e709426ff2f010434cfafe17d1acd8=pps8p8bntg6k4hkshtq1b4nhl2
Host: achitech.eu5.org:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Response
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2010 23:40:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Wed, 14-Oct-2009 23:40:29 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Wed, 14-Oct-2009 23:40:29 GMT; path=/

Acunetix Website Audit 6

Set-Cookie: jfcookie[lang]=deleted; expires=Wed, 14-Oct-2009 23:40:29 GMT; path=/
Connection: close
Content-Type: text/html

Micro CMS v.3.5 SQL Injection

Severity High
Type Validation
Reported by module Web Applications

Description
Input passed to the "id" parameter in "/cms/revert-content.php" isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Confirmed in versions: 3.5. Other versions may also be affected.

Impact
An attacker could use this vulnerability to easily gain the administrator hash.

Recommendation
Edit the source code to ensure that input is properly sanitised.

Affected items
/cms/revert-content.php
Details
No details are available.
Request
GET
/cms/revert-content.php?type=newest&id=1%22%20UNION%20ALL%20SELECT%20null,null,11221133,
null,null/* HTTP/1.1
Pragma: no-cache
Host: achitech.eu5.org:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Response
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2010 23:14:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: e9e709426ff2f010434cfafe17d1acd8=pi9rbb6ioe465d83qje3nnmfv3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Wed, 14-Oct-2009 23:14:21 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Wed, 14-Oct-2009 23:14:21 GMT; path=/
Set-Cookie: jfcookie[lang]=deleted; expires=Wed, 14-Oct-2009 23:14:21 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 537

Acunetix Website Audit 7